The California Consumer Privacy Act (CCPA) was enacted on January 1, 2020. CCPA is a comprehensive consumer data privacy law that increases privacy protections for California residents. However, even large organizations that meet its thresholds, such as more than $25 million in gross annual revenue or holding information on 50,000 consumers, may qualify for its HIPAA exemption, meaning they may not be subject to CCPA requirements for that data.
The rights of individuals under CCPA, HIPAA, and other data protection regulations are similar, but each law differs in the data it covers. Determining and applying the actual scope of the CCPA and HIPAA exemptions is a challenging and vital task for companies working in the healthcare industry.
What is the California Consumer Privacy Act (CCPA)?
CCPA is the legislation that governs how the personal information of California residents is collected, sold, processed, used, and managed. The legislation created new consumer rights regarding access to personal information held by businesses. CCPA gave Californians greater rights to control how companies process, use, sell, collect, disclose and share their data.
CCPA expresses personal information as any information that directly or indirectly identifies, relates, describes, can be associated with, or links to a specific consumer or household. Personal information includes social security numbers, demographic information, financial account information, biometric data, internet browsing, and search histories.
Who does the California Consumer Privacy Act (CCPA) apply to?
CCPA regulates businesses that fulfill specific requirements. A corporation must first do business in California, but that does not mean a company must have a physical presence in or be incorporated in California. To do business in California, a business must direct one or more activities to consumer residents of California. In addition to doing business in California, corporations must:
Operate for profit
Collect personal information from California residents or on their behalf
Determine the purposes and means of processing this information.
California lawmakers aimed to target companies that, in addition to meeting the above requirements, have significant sales, hold substantial amounts of Protected Health Information (PHI), or generate considerable revenue from the sale of personal information. Therefore, in addition to the above requirements, to be regulated by CCPA, a business must:
Earn gross annual revenue over $25 million
Alone or in combination, buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices annually
Earn more than 50% of annual revenue from selling personal information (whether that is $25 or $25 million)
How does CCPA affect HIPAA-compliant businesses?
Although broad in scope, CCPA has certain HIPAA exceptions. For example, CCPA does not apply to medical information defined in the California Confidentiality of Medical Information Act (CMIA) or PHI collected by a covered entity or business associate as defined in HIPAA.
The CCPA’s HIPAA exemption is designed to allow affected companies and business partners to continue to comply with the privacy requirements outlined in HIPAA without additional legal intervention. Organizations exempt from CCPA must maintain patient information in the same manner as PHI under HIPAA.
What are the HIPAA exemptions in CCPA?
CCPA contains two key HIPAA provisions: one exempts information, and the other exempts businesses, that CCPA would otherwise regulate.
PHI collected for treatment, payment, or healthcare operations qualifies for the CCPA HIPAA exemption. However, health information collected for other purposes is not covered by the CCPA's HIPAA exemption and is subject to the CCPA's stricter data protection requirements.
Covered Entities subject to the HIPAA Privacy, Security, and Breach Notification Rules are exempt from CCPA, provided the Covered Entity appropriately protects PHI under HIPAA. That means a covered entity that fails to comply with one or more HIPAA regulations is not fully compliant with CCPA either.
What are the health data exclusions under CCPA?
Health data exclusions don't apply only to HIPAA. For example, CCPA excludes health information subject to other privacy laws, such as CMIA. Likewise, data collected as part of a clinical trial is not restricted, as it is already regulated by the Common Rule, Good Clinical Practice (GCP) guidelines, or Food and Drug Administration (FDA) requirements.
For-profit healthcare organizations cannot ignore CCPA because they routinely collect personally identifiable information (such as credit card information) that is not covered by the PHI exemption. Most healthcare organizations have websites collecting visitor data, which is still subject to CCPA.
Information that is not considered PHI and may be subject to CCPA regulations includes health app information and marketing data. Health data from apps that let patients monitor their health and collect data is not considered PHI when the app is developed by a company other than a covered entity (CE) or business associate (BA). Additionally, information collected by companies that are not CEs or BAs for marketing purposes only is not PHI and is therefore subject to CCPA regulations.
Are the CCPA and HIPAA de-identification requirements the same?
Although protected health information covered by HIPAA is not subject to CCPA, the exception does not relieve covered entities or others processing PHI from having to consider CCPA for other data. This is especially relevant to de-identified PHI. Once an acceptable level of anonymization has been achieved under the HIPAA de-identification standards, the health information is no longer considered protected health information. It may then be deemed exempt from CCPA.
However, HIPAA's requirements differ slightly from CCPA's, and HIPAA-de-identified PHI may still constitute CCPA Personal Information and be subject to CCPA. Although CCPA has an exemption for de-identified data, there is far less guidance on achieving it than under HIPAA. HIPAA has had time to develop standards, guidance, and publications that define acceptable levels of re-identification risk; CCPA has not.
Businesses that previously relied on HIPAA-de-identified data may also need to consider another de-identification review if the data comes from California residents, as only PHI is subject to the CCPA HIPAA exemption. Data de-identified under HIPAA standards may still need to be made CCPA-compliant because the re-identification thresholds differ. This could mean further statistical analysis, documentation, and input from legal and compliance teams.
What are the legal risks of CCPA and HIPAA?
As mentioned earlier, CCPA does not cover aggregated and de-identified data. However, such data carries certain risks. For example, aggregated data (business metrics, aggregate trends, or other insights derived from it) can still identify individuals.
Under the information part of the CCPA HIPAA exemption, data collected for treatment and payment is exempt when used for healthcare activities. However, most organizations also use this data for other purposes (such as analysis for different business needs). To do this, they use data aggregation systems to compile and anonymize the data. Depending on the system used, the data generated may not be as anonymous as intended and may still be traceable to an individual. And, as discussed above, the de-identification standards differ between CCPA and HIPAA.
Additional complications may arise from other consumer rights under CCPA. For example, if consumers request that their data be deleted, organizations must comply. If that data has been used in an aggregated dataset, it must be located and extracted. Not only will this affect the accuracy of the analysis, but it will also prove complicated in practice.
Unlike HIPAA, CCPA allows consumers to bring a civil action against businesses, meaning that improper aggregation creates legal risk. Any healthcare organization that relies heavily on aggregated data needs to work with experts who can ensure proper de-identification. Tools and processes need to output data that cannot be used to re-identify patients, and they must be able to extract specific consumers' data easily on request.
CCPA does not automatically exempt all data-related processes of covered entities and business associates, only those that handle PHI compliantly under HIPAA requirements. Non-PHI data maintained by a covered entity in the same manner as PHI under HIPAA is also exempt. Still, the scope of that exemption is unclear: BAs are not explicitly listed in the exemption.
Therefore, companies subject to HIPAA should carefully analyze what patient information they hold as PHI and what patient information they have outside HIPAA. For example, information obtained under specific licenses, types of research data, or other HIPAA-exempt details (such as employee compensation data) may not be subject to HIPAA or maintained in the same manner as PHI. This data may not qualify for a CCPA exemption.
CCPA and HIPAA have significant implications for the healthcare industry, but by adhering to modern IT security standards, healthcare providers can reduce internal and external threats to their PHI. Lack of encryption, insecure communication channels, and inconsistent access controls remain common problems in healthcare software. Even something as seemingly trivial as a push notification can lead to a HIPAA violation, and developing secure, HIPAA-compliant software is always a challenge.
At Itirra, we know how to build secure software for healthcare companies that need it. Our team has extensive experience in building comprehensive healthcare solutions. Contact us today to learn how to achieve and maintain HIPAA compliance while building software for your business.